This article is only applicable to non-Paycor customers.

Note: These instructions are current as of Feb 3, 2021, and may not represent exact instructions as links or sites may change. Please contact us for more details if you are having difficulty with the setup.

Tip: These instructions apply to SSO only; you'll still need to manually provision and deprovision accounts in 7Geese.

  • Step 1: Log in to Office 365 as an admin
  • Step 2: Click on ‘Admin’
  • Step 3: On the navigation bar, find the entry for Admin centers and expand it. Open the link to ‘Azure Active Directory’
  • Step 4: Click ‘Enterprise Applications’ from the navigation bar.
  • Step 5: From the ‘All Applications’ pane, click ‘+ New application’
  • Step 6: Click ‘Non-Gallery Application’.

Note: It may be helpful during setup to go to the Enterprise applications on Azure AD portal and click a link that says 'Click here to switch back to the old app gallery experience.' There you can start the 'Non-gallery application' workflow.

  • Step 7: At this point you might be prompted to sign up for a service to enable SAML through Active Directory. Azure Professional Tier 2 is sufficient and available for a trial period of one month with 100 users.
  • Step 8: Name the application 7Geese and click ‘Create’ to continue the setup.
  • Step 9: From the ‘Single Sign-on’ panel, select ‘SAML-based Sign-on’ from the drop down selector.
  • Step 10: From near the bottom of the page, download the generated certificate in base64 mode.
  • Step 11: Click ‘Configure 7Geese’ at the bottom of the page. A new page will open.
  • Step 12: Keep this page open, and open 7Geese in a new tab/window.
  • Step 13: Within 7Geese: At this point we need to get details from 7Geese. Log in as an administrator and go to ‘Org settings’
  • Step 14: Within 7Geese: Click on the Integrations tab, then press the Configure button beside ‘Single Sign on’
  • Step 15: Add the configuration from Active Directory into 7Geese:

7Geese: (Issuer) -> AD: Entity ID (e.g. https://sts.windows.net/XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/)
7Geese: (Metadata URL) -> Same as above
7Geese: (SSO URL) -> AD: SAML Single Sign on URL (e.g. https://login.microsoftonline.com/XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/saml2)
7Geese: (SLO URL) -> AD: Sign out URL (e.g. https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0)
7Geese: X.509 certificate -> Open the previously downloaded .cer file in a text editor. Copy the contents into this field

Note: You can copy the "App Federation Metadata URL" and use it in 7Geese at https://app.7geese.com/admin/saml/. That URL is the metadata URL, and when you select the "Use metadata URL for provider configuration" checkbox we will download all the details. Clicking Save will update the details.

  • Step 16: Click save settings. When testing SSO at this point you may get an error, because the URL on the Microsoft side still needs to be updated.

In this case, back in the Azure admin portal, fill out the 'Basic SAML Configuration' fields:

The Identifier is our Issuer URL, and the "Reply URL" is called "SSO Service URL (Assertion Consumer Service)" in 7Geese. You can optionally fill in the "Logout Url".

Note: Active Directory will attempt to log in with the current user. This user might have an email address with the suffix .onmicrosoft.com. If this is the case, 7Geese will report that the user is not registered in the network (all such users must be previously configured in 7Geese before single sign-on will work for them).

  • Step 20: From 7Geese, click ‘test logging in’. You might still get an error - our team had to assign our test users in the "Users and groups" tab before they had enough permissions in Azure AD to use the application.
  • Step 21: If everything has worked, press Enable SAML on the 7Geese configuration page.
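
A way to double-check the values entered in Step 15 before enabling SAML, as an added example (not 7Geese or Microsoft code): it parses IdP federation metadata, pulls out the Issuer, SSO URL and SLO URL, and confirms that the pasted .cer is one of the signing certificates the metadata publishes. The tenant ID, certificate bytes and sample metadata are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample data: placeholder tenant ID and dummy bytes, not a real certificate.
TENANT = "00000000-0000-0000-0000-000000000000"
DUMMY_B64 = base64.b64encode(b"constructed-sample-certificate-bytes").decode()
SAMPLE_CER = f"-----BEGIN CERTIFICATE-----\n{DUMMY_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{DUMMY_B64}</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""
CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"


def fingerprint(cert_text):
    """SHA-256 over the certificate's DER bytes; accepts PEM text or bare base64."""
    body = "".join(line.strip() for line in cert_text.splitlines() if "-----" not in line)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def idp_settings(metadata_xml):
    """Extract the values the SSO form in Step 15 asks for from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    certs = idp.findall(CERT_PATH, NS)  # more than one during certificate rollover
    return {"issuer": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "slo_url": slo.get("Location") if slo is not None else None,
            "signing_cert_sha256": [fingerprint(c.text) for c in certs if c.text]}


def cer_matches_metadata(cer_text, metadata_xml):
    """True if the pasted .cer is one of the IdP's published signing certificates."""
    return fingerprint(cer_text) in idp_settings(metadata_xml)["signing_cert_sha256"]
```

A mismatch between the pasted certificate and the metadata means assertions signed by the IdP will fail validation, so resolve it before pressing Enable SAML.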
